Remote WMI With Read-Only Account

As a general rule, all Exoprise components operate in read-only mode. In most trial environments, running the Exoprise components as domain admin is the quickest installation option. If using a domain admin account isn’t acceptable, please follow the steps below to operate Exoprise components in a least privilege configuration.

In addition to read-only access to Active Directory (AD), Active Directory Federated Service (ADFS), or Exchange Server endpoints, some Exoprise components require Windows Management Instrumentation (WMI) access. WMI gives Exoprise access to the performance counters exposed by the target machine. Information collected via WMI is often a critical component of the overall service health. Therefore, a least privilege configuration will require that WMI access is provided to Exoprise components. The steps below were authored to detail how you would enable access to WMI providers for Exoprise components without using Administrator-level accounts in your Active Directory domain or forest.

The steps below were based on a Windows Server 2003 R2 Active Directory domain controller. Exact procedure steps may differ slightly if you are using Windows Server 2008 or 2012, Windows 7, or Windows Vista.

Prerequisites

1. Full administrator rights to the domain or forest in which you will be making the changes
2. Administrator rights to all servers in your AD for which you wish to enable WMI access

Group Membership, Security Policy Assignments And Permissions

1. 1. If you haven’t already done so, create a domain account that will represent the user that Exoprise will run as in your environment.
   2. Create a domain group that will receive all of the rights that the Exoprise user needs.
      Note: As a best practice, always assign permissions to a domain group instead of directly to a user account.
   3. Put the Exoprise user into this newly-created group.
   4. Put the newly created Exoprise group into the following domain groups:
      Performance Log Users
      Distributed COM Users
   5. Run one of the following three Microsoft Management Console (MMC) snap-ins:
      • the Local Security Policy snap-in (secpol.msc) for member servers, or
      • the Default Domain Security Policy snap-in (dompol.msc) if you wish to configure these settings domain-wide as a GPO, or
      • the Default Domain Controller Security Settings snap-in (dcpol.msc) if you wish to assign the rights only on domain controllers.

1. Once the snap-in is started, expand Security Settings, then Local Policies, and finally User Rights Assignment.
2. Assign your new group at least the following rights:
   • Act as part of the operating system
   • Log on as a batch job
   • Log on as a service
   • Replace a process level token
3. Exit the Policy Settings utility.

Distributed Component Object Model Rights Assignments

Configure DCOM security for the Exoprise group.

1. Run Component Services by selecting Start -> Administrative Tools -> Component Services.
2. Once there, expand Console Root, then Computers, and finally My Computer. Right-click on My Computer and select Properties…
3. In the window that appears, click on the COM Security tab.
4. Under Access Permissions, click Edit Limits.
5. Review that the Distributed COM Users group has all items checked under Allow.
6. (optional) Add the Exoprise group to this list and ensure that they have full Allow access as well.
   • Note: This step is not required, since the Exoprise group is a member of Distributed COM Users.
7. Once you’ve reviewed the presence of Distributed COM Users, or added the Exoprise group, click OK to save your changes and be returned back to the COM Security tab.
8. Now, under “Launch and Activation Permissions”, click Edit Limits.
9. Like with the “Access Permissions” window, you are presented with a list of groups and permissions. You need to make sure that the Distributed COM Users group has all items checked under Allow.
10. (optional) Add the Exoprise group here, and assign full Allow access.
    • Note: This step is not required, since the Exoprise group is already a member of Distributed COM Users.
11. Click OK to save your changes.
12. Exit the Component Services utility.
    .

WMI Namespace Security Assignments

Set WMI namespace security so that the Exoprise group has access to WMI objects.

1. From the Start menu, select Run…, and in the window that opens, type in wmimgmt.msc in the “Open:” field and click OK.
2. Once there, right-click on WMI Control (Local) and click Properties.
3. Click on the Security tab.
4. Click on the Security button at the bottom right of the window. This action edits the security settings for the Root WMI namespace.
5. You’ll now see a window that has the security settings for WMI on this machine. Click Advanced…
6. You’ll now see the Advanced security settings for this WMI namespace. Add the Exoprise group to the list, and give at least the following “Allow” permissions:
   • Execute Methods
   • Enable Account
   • Remote Enable
   • Read Security
   • Note: Make sure that these permissions apply to this namespace and all the namespaces under it. Do that by selecting This namespace and subnamespaces in the dropdown box above the permissions list window.
7. Click OK to save the new permissions.
8. Then, click OK again to exit out of the Advanced Security Settings.
9. Click OK a third time to exit the security properties.

Firewall Changes, UAC, Restarts And Testing

Now that you’ve set WMI namespace security, you need to make sure that Windows Firewall is not blocking WMI traffic.

1. Make sure that you’ve either disabled or configured Windows Firewall services on both the Exoprise endpoints and on the server you wish to get data from over WMI.
   • Enabling and disabling Windows Firewall in Windows Server 2003 (TechNet)
   • Enabling and disabling Windows Firewall in Windows Server 2008, Windows Vista and Windows 7 (TechNet)
   • Note: If you do not have permission to disable Windows Firewall/ICS on servers on your network, then you must explicitly configure it to allow WMI traffic. See your system administrator for information on how to do this.
2. If you’re running Windows Server 2008 or 2012, Windows Vista, or Windows 7, you’ll need to make changes to or disable User Account Control settings.
   • Review this MSDN article on the interaction between UAC and WMI.
3. Rebooting the endpoints that have Exoprise components installed will force the security changes above to take effect. This is required because the Exoprise user logs into the domain – and only then gets a new authentication token – at service start.

After the Exoprise endpoint has been restarted, you should then be able to make WMI calls to the remote servers configured above.

If you are configuring a non-administrator Exoprise user for a large AD forest, you may need to wait a short time while AD replication takes place – up to 15 minutes – before remote queries over WMI will work.

Summary

Exoprise components operate in read-only mode when communicating with Active Directory (AD). Additional components within Sensor query the server via the Windows Management Instrumentation (WMI) interfaces and this functionality requires specific privileges on the server.

In a lab environment it is often easier to use a Domain Admin account for the Sensor installation credentials because the AD and WMI functionality runs smoothly as Domain Admin. The preferred way in a production environment is to limit and restrict the permissions of the Sensor account as detailed above.